Common state-of-the-art firewall applications are traditionally based on one of two rival designs. One is a classical, centralized architecture in which the firewall application is hosted on strategically located gateways. The other is a distributed architecture in which the firewall application is deployed on individual network hosts. Both architectures have shortcomings.
The classical architecture divides the network into an inner perimeter and an outer perimeter, with the firewall sitting between them as a gateway. This topology forces traffic between a node within the inner perimeter and a node on the outer perimeter to pass through the firewall. However, the classical firewall is blind to traffic passing between two nodes within the inner perimeter, and so it cannot protect network nodes from threats that originate inside the inner perimeter. Once one host in the inner perimeter is compromised, the other inner-perimeter network nodes are vulnerable to attacks from it.
To overcome these limitations, the personal firewall architecture has emerged. In this end-node architecture, the firewall application is replicated throughout the network on all end nodes. Each end node executes a firewall application that monitors and filters inbound and outbound traffic to and from that end node. This design protects against attacks originating from within the inner perimeter as well as from the outer perimeter, so the network is less vulnerable to the spread of malware from peer nodes. However, each disparate node requires separate management. Thus, for example, information technology staff must distribute new virus signatures to all network nodes, rather than merely to a centralized node. And replicating the firewall application on all nodes may represent a less efficient use of processing resources than a centralized approach.
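The trade-off described above can be made concrete with a small model. The following is an added example, not code from the original text: on a constructed five-host topology it enumerates every flow that touches the protected network, reports which flows each architecture actually inspects (the gateway's blind spots are exactly the inner-to-inner lateral flows), and counts how many nodes a signature update must reach. The host names and the two-sided topology are assumptions made for the example.

```python
from itertools import permutations

# Constructed topology (an assumption for this example): three hosts inside the
# perimeter behind a single gateway firewall, and two hosts on the outside.
INNER = {"ws1", "ws2", "fileserver"}
OUTER = {"web.example", "partner.example"}


def relevant_flows():
    """Every directed flow with at least one endpoint inside the protected network."""
    return {(s, d) for s, d in permutations(INNER | OUTER, 2) if s in INNER or d in INNER}


def lateral_flows():
    """Flows between two inner-perimeter nodes: the traffic a compromised host would use."""
    return set(permutations(INNER, 2))


def gateway_inspects(src, dst):
    """Classical design: a flow reaches the firewall only if it crosses the perimeter."""
    return (src in INNER) != (dst in INNER)


def host_firewall_inspects(src, dst):
    """Distributed design: each inner node filters its own inbound and outbound traffic."""
    return src in INNER or dst in INNER


def coverage(inspect):
    """Split the relevant flows into those the architecture sees and its blind spots."""
    flows = relevant_flows()
    seen = {f for f in flows if inspect(*f)}
    return seen, flows - seen


def signature_update_targets(architecture):
    """Management cost: how many nodes must receive a new signature or rule set."""
    return 1 if architecture == "gateway" else len(INNER)


if __name__ == "__main__":
    for name, inspect in (("gateway", gateway_inspects), ("host", host_firewall_inspects)):
        seen, blind = coverage(inspect)
        print(f"{name:8} inspected={len(seen):2} blind={len(blind):2} "
              f"update targets={signature_update_targets(name)}")
        for src, dst in sorted(blind):
            print(f"         uninspected: {src} -> {dst}")
```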